
How can somebody spy on your webcam?

The recent webcam spying scandal at a school in Pennsylvania has caused worldwide uproar in the news, and proves that paranoiac scenarios are actually not so far-fetched. In the era of Skype, ChatRoulette, and the ubiquitous use of security webcameras, this case raises serious questions about privacy and Internet security. As I will combine my introductory post and my question, here is some background information first.

The spying scandal at Harriton High School

In mid-February, a high school in Pennsylvania landed in the spotlight of the news, and now of the FBI, when it was revealed that school officials were spying on their students by secretly activating the webcameras of school-issued laptops, even when students were at home. The scandal unfolded when the assistant principal summoned a student to her office and accused him of selling and taking drugs. She based her allegations on photos taken by the kid’s webcam that showed him eating suspicious substances at home, which later turned out to be Mike and Ike candy. Shortly after, the student’s parents filed a lawsuit against the school. As the scandal became public, various other students reported that they had been perplexed by the green lights of their laptops bizarrely going on and off. The school denied that it had invaded the students’ privacy, and explained that the software installed on the computers that allowed remote access to the cameras was a monitoring and security measure that made it possible to locate laptops in case of theft.

It is not unusual for schools to monitor and spy on their students, as a documentary segment called “How Google saved a school” indicates. However, Harriton school stands out because teachers accessed the webcameras of their students in their private homes, which is why the FBI is now investigating the case.

The scandal poses general questions about the education system, authority, and where to draw the line between monitoring and spying. What is the legal basis or guideline? But first of all, I’d like to know how this is technologically possible. Considering that most laptops have built-in cameras and have become all-purpose devices that we use 24/7, how big is the risk of this kind of surveillance?

How can somebody spy on your webcam?

A simple Twitter search for #spycam quickly leads me to what seems the ultimate information source about the technology behind the Harriton High School scandal. A blogger called Stryde Hax, a part-time hacker and consultant for an Internet security company called Intrepidus Group, has investigated the case and discussed it on his blog. Stryde Hax explains that the school installed a remote monitoring product named LANRev on their laptops. Even when computers were connected outside the school networks, the track-and-monitor feature reported back to the administrator, and allowed the administrator to activate the camera remotely and take pictures in secret. As the remote control was invisible (except for the brief moments when the camera lit up), and the victims were unaware of it, this software would qualify as spyware, defined as “a type of malware that is installed on computers and collects little bits of information at a time about users without their knowledge.”
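Since the only visible sign described above is the camera light, a quick defensive check is to ask the operating system which processes currently hold the camera open. The sketch below is an added example, not code from the original post, from Stryde Hax, or from LANRev; it assumes a Linux machine where cameras appear as /dev/video* nodes, and the process names in the sample data are constructed.

```python
import os
import re

CAMERA_RE = re.compile(r"^/dev/video\d+$")  # V4L2 capture nodes on Linux

def _comm(proc_root, pid):
    """Read the short process name, or '?' if the process is already gone."""
    try:
        with open(os.path.join(proc_root, pid, "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"

def camera_users(proc_root="/proc"):
    """Return sorted (pid, process name, device) for every open camera handle."""
    hits = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # only numeric directories are processes
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or we lack permission (run as root)
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # descriptor closed while we were looking
            if CAMERA_RE.match(target):
                hits.add((int(entry), _comm(proc_root, entry), target))
    return sorted(hits)

def unexpected(users, allowed):
    """Keep only camera users whose process name is not on the allow-list."""
    return [u for u in users if u[1] not in allowed]

def build_sample_proc(root):
    """Constructed sample: a fake /proc with a video-chat app and an unknown agent."""
    sample = {"812": ("videochat", ["/dev/video0", "/dev/null"]),
              "977": ("mgmt-agent", ["/dev/video0"]),
              "1204": ("editor", ["/tmp/notes.txt"])}
    for pid, (name, targets) in sample.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        with open(os.path.join(root, pid, "comm"), "w") as fh:
            fh.write(name + "\n")
        for i, target in enumerate(targets):
            os.symlink(target, os.path.join(root, pid, "fd", str(i)))
    return root

if __name__ == "__main__":
    for pid, name, dev in unexpected(camera_users(), {"videochat"}):
        print(f"unexpected camera user: pid={pid} name={name} dev={dev}")
```

Run as root so that other users' processes are visible; a snapshot only catches a handle that is open at that moment, so a brief capture like the ones described here needs the check repeated on a short interval.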

The market for spy camera software seems to be tremendous! A Google search shows a multitude of companies selling this kind of product. For example, Power Spy 2010 proudly claims that it is “[p]erfect for catching cheaters, monitoring employees, children and spouse and even investigating crimes!”


The software allows you to monitor all computer and Internet activities, take screen snapshots like a surveillance camera, and record usernames and passwords, but is “completely legal” according to the company that sells it. However, there are also cheaper ways to turn your webcam into a spying tool: you could simply “use Skype as a covert snooper.”

Legal issues involved

Does this sort of spying violate wiretapping laws? In the case of Harriton High, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) believe that it constitutes an infringement, and filed an amicus brief in support of the victim. However, the matter is not that obvious. Kevin Bankston, an attorney for EFF, explains why:

“There is no federal statute that criminalizes or creates civil liability for such secret videotaping unless it involves sound, because then it is an intercept of a verbal communication. So no one can plant a bug in your house without violating wiretapping law, but they can still plant a camera without violating federal wiretapping laws.”

A Skype-camera spy-attack would therefore be illegal, but how about soundless spying with Power Spy 2010? For example, is it legal to use this software in a company, or could you give your consent to being spied on? According to the EFF, “private schools or employers can ask you to sign away your right to privacy, but not a government entity like a public school.” However, there is no judicial precedent, and it is up to the court to give further indications. Collecting usernames and passwords without previous consent is certainly a violation of the Fourth Amendment. Another troubling factor is that in Harriton High School, only official (and monitored) computers were allowed, and “jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion” (source: Stryde Hax). How will this case be resolved?

Welcome to hacker culture!

Obviously, another central question is whether somebody can intrude into your computer and gain control of your webcam by other means. As I am quite illiterate in technical issues, I turn to the wisdom of the crowd, and search for the answer on Google, web forums, and even Yahoo Answers. I found out that all you need is a trojan virus which can remotely access your webcam, and which a normal Windows firewall will not stop. Another option is to turn to social engineering and to get crucial information (in-)voluntarily from the victim rather than breaking into their system. How easy/difficult is this?

Kevin Mitnick, worldwide hacker celebrity and now security consultant

To my surprise, the hacker community is very generous about sharing its tips and tricks: there are plenty of fun tutorials on Google on how to hack into your friends’ computers and spy through their webcams. In addition, I learn that under the surface of anarchy, there are quite institutionalized platforms and various social norms. There even exists a Hacker Quarterly, and a related biennial hacker conference called HOPE (Hackers On Planet Earth), where the state of the art and future challenges are discussed. More basically, hacking isn’t only about hacking: different subcultures and subgroups exist, like white hats (=ethical hackers, specialized in penetration testing), or black hats (=specialized in unauthorized penetration, seek personal profit). Is Stryde Hax therefore a white hat? Has he been a black hat before, like Kevin Mitnick? Who designs these categories? Plenty of questions to follow…

15 Comments

ElzbthMllr 09:32, Mar 2nd, 10

I find this very scary. We discussed a lot of these issues within the first few weeks in class when someone (sorry forgot who!) documented walking around Washington Square Campus and seeing how many cameras there were. This is pretty different as the cameras are taking pictures of people in private without their knowing it – which is different from being in a public space. I think you should concentrate on trying to understand the legal issues here and trying to figure out what possible directions the courts could go in here. I think it’s interesting that major civil rights groups like ACLU and advocacy organizations like EFF are so heavily involved, it speaks to the importance of internet privacy and digital rights as human rights in the 21st century.

Harris 10:09, Mar 2nd, 10

So are you going to try spying on us to figure out how it works?

HoniehLayla 10:43, Mar 2nd, 10

This is a VERY disturbing issue. I understand that the school did something horribly wrong by invading these students’ privacy by peeping into their lives at home, but imagine how many mentally disturbed people can do this to just about anyone.

I did a search on this topic on Google, and there were 6.5 million hits on just the “HOW TO” portion of the subject.

This topic has a lot of angles and I’m really interested if you’re going to dive into internet privacy, or what type of legal statutes should be created to protect people from this type of digital invasion.

I will definitely check my webcam more to see if the light is green after reading your post!

nadine 12:01, Mar 2nd, 10

@Elizabeth: It was actually me that walked around Washington Square Campus and saw how many cameras there were, I wanted to expand my first travelogue..
@Harris: wait for my concluding post (one of my lawyer friends totally freaked out when I told him about the project! I think I need a written spy authorization!!)
@Honieh: thanks for the feedback, I will try to get more legal information!

Jimena 12:21, Mar 2nd, 10

“There is no federal statute that criminalizes or creates civil liability for such secret videotaping unless it involves sound, because then it is an intercept of a verbal communication. So no one can plant a bug in your house without violating wiretapping law, but they can still plant a camera without violating federal wiretapping laws.”

I can’t believe that legislation is so behind regarding video. What makes conversations more important (and more deserving of privacy) than actions?

I am sure that this limitation has had severe consequences in getting to jail criminals that have used cameras as tools. The topic is super interesting, Nadine. I look forward to more info.

Harris 12:29, Mar 2nd, 10

Jimena, the history of privacy laws in the US shows that legislation is always struggling to catch up with technology.

Nadine, now I’m extremely curious!

Alexandra 13:31, Mar 2nd, 10

Oh my god, this is crazy! I hope the kid wins his case. What the school did is absolutely ridiculous. As they say, there is no such thing as a free lunch – or computer, apparently. Why do school officials think this sort of thing is ok?!

DanJee 14:21, Mar 2nd, 10

I was very interested in this issue when it first got released to the press. However, I think this is an extreme case. Clearly, the school administrative people had way too much free time and were in way over their heads. Absolutely no doubt that they stepped over a legal boundary there. But with regards to hackers being able to spy on you through webcam, this is not a new idea. However, I highly highly doubt hackers with such capabilities would bother to do something like this while they could be destroying the world with other menacing things.

Ryan 15:52, Mar 2nd, 10

Also, the tricky thing is that if the students who were given the computers by the school signed a consent form to use the computer, I wonder what the fine print said, if they bothered to read it at all. I’m assuming that they had to sign for something that held them responsible for the laptop that they were borrowing, but I’d be curious as to what kind of consent or liability form they agreed to sign.

This was a very scary case that highlights and even amplifies the issue of personal privacy and spying, tapping, or voyeurism.

I’m very surprised like everyone else about the legislation that constitutes illegal spying because of the use of sound. That’s really weird.

What has been the latest development of the case brought against the school by the parents and the FBI???

leslie 22:11, Mar 27th, 10

wow two typos in one sentence.. get a spell checker already.. jeez

nadine 04:46, Mar 28th, 10

Better? Thanks a million! I’ll gladly take English lessons with you!

mushon 09:16, Mar 28th, 10

Nadine, just for the record, the Leslie who left that snarky remark about spelling is not a student in our class. We definitely welcome constructive feedback and typos should indeed be minimized, but I do feel like this comment could have used a slightly more gentle language.

“In the case of Harriton High, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) believe that it constitutes an infringement, and filed an amicus brief in support of the victim.”

Mike 03:13, Jan 17th, 11

I understand invasion of privacy can be prosecuted. Programs like http://www.spycamlizard.com are legal, as long as you don’t stick them in places where it would intentionally invade others’ privacy.

Of course tracking and theft identifying software is cool, but activating them without cause is not.